FORM authentication

Felix Li

Ranch Hand

Posts: 38

posted 8 years ago

I have implemented an app using the FORM auth method and it is working well. BUT, I still have questions.

How is the container actually handling it in the background? If I have mapped report.jsp to use the FORM login method, would the container ask me EVERY TIME I am directed to report.jsp, no matter whether it is from the URL, response.redirect() or requestDispatcher? If this is the case, then it must be a heck of a confusion if I were to map the url-pattern to /* !!! That means every time I enter ANY page, I am being prompted back to login.jsp to login!

Soooooo..... I suppose the container is making use of the sessionnnnnnnnnn......

Greatly appreciated if someone points me in the right direction. Thanks in advance.

That means every time I enter ANY page, I am being prompted back to login.jsp to login!

Of course, you will be prompted only once. The container will keep the user's Principal in his pocket. Some information is given in the servlet specification, SRV.12.5.3.1 Login Form Notes:

Form based login and URL based session tracking can be problematic to implement. Form based login should be used only when sessions are being maintained by cookies or by SSL session information.

If the user is authenticated using form login and has created an HTTP session, the timeout or invalidation of that session leads to the user being logged out in the sense that subsequent requests must cause the user to be re-authenticated.

[ October 16, 2008: Message edited by: Christophe Verre ]